
[ScreenOS] Unable to manage device via SSL (HTTPS to the device) when using Firefox browser version 32 and later

Article ID: KB30330   KB Last Updated: 27 Dec 2017   Version: 2.0
Summary:

Users are unable to access a ScreenOS device via HTTPS while using Firefox Browser Version 32. This is not an issue with Internet Explorer.

Symptoms:

A user tries to access, via HTTPS, a ScreenOS device that has the default self-signed certificate configured. Firefox displays a page with the message "This connection is Untrusted". Normally, you would click I Understand the Risk and then click Add Exceptions.



Usually, after you click Add Exceptions, the browser proceeds to the desired page. With Firefox version 32, however, nothing happens and the browser stays on the warning page.

Cause:

Beginning with version 32, Firefox no longer accepts certificates with 1024-bit RSA keys.

Keys of this size have been deemed insecure, and the resolution is to reconfigure the ScreenOS device to use a 2048-bit RSA key for the self-signed certificate.

If you have other devices that use 1024-bit RSA keys for default self-signed certificates, you will have to do the same procedure for those devices as well.

Solution:

The resolution is to configure a local certificate signed with a 2048-bit RSA key (the default is to use a 1024-bit RSA key).

This requires creating a new key-pair using a 2048-bit RSA key.

Please refer to KB16739 - "How to manually generate a new system self-signed certificate to replace the expired system self-signed certificate without resetting the firewall" for details on configuring a new key-pair, local certificate, and self-signed certificate using a 2048-bit RSA key. In Step 2, use the command exec pki rsa new-key 2048 instead of exec pki rsa new-key 1024 to generate a 2048-bit key-pair.

Even after configuring this, you may still run into issues accepting the new certificate. If you do, you may have to clear the exception list by deleting the cert_override.txt and cert8.db files from your Firefox profile folder. For instructions on navigating to your profile folder, please see http://kb.mozillazine.org/Profile_folder_-_Firefox
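
To find which devices still present a 1024-bit RSA key, and to confirm that the new 2048-bit certificate is in place after the change, the key size can be read from the certificate the device serves. The following Python script is an added example, not part of the original article or of any Juniper tooling; its function names and the constructed sample input are assumptions made for illustration.

```python
import ssl
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):  # elements stored directly inside buf[start:end]
    out = []
    while start < end:
        out.append(_tlv(buf, start))
        start = out[-1][2]
    return out

def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a DER-encoded X.509 certificate."""
    _, start, end = _tlv(der, 0)                      # Certificate
    _, start, end = _children(der, start, end)[0]     # tbsCertificate
    fields = _children(der, start, end)
    spki = fields[6 if fields[0][0] == 0xA0 else 5]   # v1 certificates omit [0] version
    alg, bitstring = _children(der, spki[1], spki[2])
    oid = _children(der, alg[1], alg[2])[0]
    if der[oid[1]:oid[2]] != RSA_OID:
        raise ValueError("certificate key is not RSA")
    _, start, end = _tlv(der, bitstring[1] + 1)       # skip the unused-bits byte
    modulus = _children(der, start, end)[0]
    return int.from_bytes(der[modulus[1]:modulus[2]], "big").bit_length()

def check_host(host, port=443):
    """Fetch a device's certificate without validating it; return (bits, meets_2048)."""
    pem = ssl.get_server_certificate((host, port))
    bits = rsa_modulus_bits(ssl.PEM_cert_to_DER_cert(pem))
    return bits, bits >= 2048

def _enc(tag, body):  # DER-encode one element; only used to build the constructed sample
    n, size = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")) + body

def constructed_sample(bits):
    """Constructed input: DER with a certificate's layout and a dummy modulus, not a real certificate."""
    mod = _enc(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    key = _enc(0x30, mod + _enc(0x02, b"\x01\x00\x01"))
    spki = _enc(0x30, _enc(0x30, _enc(0x06, RSA_OID) + _enc(0x05, b"")) + _enc(0x03, b"\x00" + key))
    empty = _enc(0x30, b"")
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + empty * 4 + spki)
    return _enc(0x30, tbs + empty + _enc(0x03, b"\x00"))
```

Call check_host with a device's management address, for example check_host("192.0.2.1") (a documentation address). A current TLS library may refuse to negotiate with an older device, in which case export the certificate by other means and pass its DER bytes to rsa_modulus_bits.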

Modification History:
2017-12-27: Article reviewed for accuracy. Minor grammatical change done. Article is correct and complete.
